Mobile platforms and operating systems may provide application programming interfaces (APIs). These APIs can allow applications to access functions on a mobile device. In order to use such API's, an application operating on the mobile device may need to be signed with a digital signature matching a digital signature of an API needed by the application.
A digital signature is a mathematical scheme for demonstrating authenticity of a software application or digital content. A valid digital signature gives a user or recipient reason to believe that the application was created by a known entity, such that the entity cannot deny having created the application and that the application was not altered during software distribution. Digital signing of an application generally requires a software developer to manually sign the application using an application signing tool. The digital signature can include an application type, an application certificate, and a timestamp. Because an application may need to be signed with a distinct signature for each API that the application may need to access on a mobile device, such a manual signing process becomes inefficient and time consuming.
Often, applications are published on online application marketplaces or “app stores” for subsequent download to mobile devices. For example, applications may be downloaded by users after purchasing them from an app store. Some application marketplaces may not permit publication of applications that have been digitally signed by a software developer more than once. The software developer may, however, need to digitally sign an application more than once for each API that the application may need to access on a mobile device. As a result, application developers are unable to publish applications that need to be signed more than once to such restricted marketplaces. Furthermore, applications may need to be signed each time a new version of the application is to be made available on an application marketplace. Repeated manual digital signing, often necessary during application development, leads to a delay in publishing the application on such marketplaces.
As the foregoing illustrates, a new approach for application signing may be desirable.